Launch the Firewall Template
Learn how to launch VM-Series Auto Scaling template for AWS to integrate a VM-Series auto scaling group with a gateway load balancer.
This workflow describes how to deploy the firewall template.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
- Modify the init-cfg.txt file and upload it to the /config folder. Ensure that you use the device group and template names you created above in the init-cfg.txt file. Because you use Panorama to bootstrap the VM-Series firewalls, your init-cfg.txt file should be modified as follows. No bootstrap.xml file is needed.

  ```
  type=dhcp-client
  ip-address=
  default-gateway=
  netmask=
  ipv6-address=
  ipv6-default-gateway=
  hostname=
  vm-auth-key=
  panorama-server=
  panorama-server-2=
  tplname=
  dgname=
  dhcp-send-hostname=yes
  dhcp-send-client-id=yes
  dhcp-accept-server-hostname=yes
  dhcp-accept-server-domain=yes
  plugin-op-commands=aws-gwlb-inspect:enable
  ```

  Your init-cfg.txt file must include plugin-op-commands=aws-gwlb-inspect:enable. This is required when integrating the VM-Series firewall with a GWLB.
- Add the license auth code in the /license folder of the bootstrap package.
- Use a text editor to create a new text file named authcodes (no extension).
- Add the authcode for your BYOL licenses to this file, and save. The authcode must represent a bundle, and it must support the number of firewalls that might be required for your deployment. If you use individual authcodes instead of a bundle, the firewall only retrieves the license key for the first authcode in the file.
- Upload the Lambda code for the firewall template (panw-aws.zip) and the Application template (app.zip) to an S3 bucket. You can use the same S3 bucket that you use for bootstrapping. If the Application stack is managed by a different account than the firewall, use the Application account to create another S3 bucket in the same AWS region as the firewall template and copy app.zip to that S3 bucket.
- Select the firewall template.
- In the AWS Management Console, select CloudFormation, then Create Stack.
- Select Upload and choose the latest firewall template from the Git repository; this is the template that deploys the firewall resources. Click Open, then Next.
- Specify the Stack name. The stack name allows you to uniquely identify all the resources that are deployed using this template.
- Enter a descriptive Name for your stack. The name must be 28 characters or less.
- Configure the parameters for the VPC.
By default, the template uses CPU utilization as the scaling parameter for the VM-Series firewalls. Custom PAN-OS metrics are automatically published to the CloudWatch namespace that matches the stack name you specified earlier.
- Enter the number of availability zones and select the region from the availability zone drop-down.
- Look up the AMI ID for the VM-Series firewall and enter it. Make sure that the AMI ID matches the AWS region, PAN-OS version and the BYOL or PAYG licensing option you opted to use. See Get the Amazon Machine Image IDs for more information.
- Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewalls, you must provide the name of this key pair and the private key associated with it.
- Select Yes if you want to Enable Debug Log. Enabling the debug log generates more verbose logs that help with troubleshooting issues with the deployment. These logs are generated using the stack name and are saved in AWS CloudWatch.
- Specify the name of the Amazon S3 bucket(s).
- Enter the name of the S3 bucket that contains the bootstrap package. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process fails, and you cannot log in to the firewall. Health checks for the load balancers also fail.
- Enter the name of the S3 bucket that contains the panw-aws.zip file. As mentioned earlier you can use one S3 bucket for the Bootstrap and Lambda code.
- Specify the keys for enabling API access to the firewall and Panorama.
- Enter the key that the firewall must use to authenticate API calls. The default key is based on the sample file, and you should only use it for testing and evaluation. For a production deployment, create a dedicated PAN-OS administrator account used only for these API calls and generate its API key.
- Enter the API key that allows AWS Lambda to make API calls to Panorama. For a production deployment, create a dedicated Panorama administrator account used only for these API calls and generate its API key.
- Add your AWS account number(s). You must provide the account number used to deploy any VPC that is connected to your GWLB. Add these values as a comma-separated list. You can add additional account numbers after deploying the template. To locate your account number, click your AWS username in the top right of the AWS console and select My Security Credentials.
- Enter the transit gateway ID. The transit gateway ID is required to secure east-west and outbound traffic. If you do not enter a transit gateway ID, the template assumes that only inbound traffic should be inspected by firewalls integrated with the GWLB.
- Enter the CIDR for the security VPC.
- Review the template settings and launch the template.
- Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
- Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
- On successful deployment the status updates to CREATE_COMPLETE.
- Verify that the template has launched all required resources.
- Create rules allowing the NAT gateway IP address(es) on the security group where your Panorama appliance is deployed. This is required to allow your firewalls to connect to Panorama. You can find the list of NAT gateway IP addresses in the CFT security stack output.
- Access the AWS VPC console.
- Select Security Groups on the navigation pane.
- Select the security group where Panorama is deployed.
- Select Actions, Edit Inbound Rules, then Add rule.
- Add a Custom TCP rule for port 3978 (the Panorama management port the firewalls connect to) for each NAT gateway IP address, using the address as the source.
- Click Save rules.
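The following helper script is an added example for this page; it is not Palo Alto Networks code and is not part of the VM-Series auto scaling repository. It covers the two parts of the procedure above that are easy to get wrong: it builds the bootstrap package (config/init-cfg.txt and license/authcodes), refuses to upload an init-cfg.txt that is missing the Panorama keys or the aws-gwlb-inspect:enable op-command, and, once the stack is CREATE_COMPLETE, opens TCP/3978 on the Panorama security group from each NAT gateway IP reported by the stack. The script name, the bucket, stack and security-group arguments, and the NAT_GW_OUTPUT_KEY variable (the name of the stack output that lists the NAT gateway IPs, which depends on the template version you download) are placeholders and assumptions, not values from the page. It needs the AWS CLI with credentials for the firewall account.

```shell
#!/bin/sh
# Added example for the VM-Series auto scaling / GWLB procedure on this page.
# Not Palo Alto Networks code. Assumptions: the stack output that carries the
# NAT gateway IPs is named by NAT_GW_OUTPUT_KEY; the bundle authcode, bucket,
# stack name and security group ID are passed in by the operator.
set -eu

# init-cfg.txt keys that must carry a value when Panorama bootstraps the firewall.
REQUIRED_KEYS="vm-auth-key panorama-server tplname dgname"

# check_init_cfg FILE: returns 0 if FILE uses DHCP, fills every required key and
# enables the GWLB op-command; prints the first problem and returns 1 otherwise.
check_init_cfg() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
  grep -qx 'type=dhcp-client' "$cfg" || { echo "type must be dhcp-client"; return 1; }
  for key in $REQUIRED_KEYS; do
    grep -qE "^$key=.+" "$cfg" || { echo "$key is empty or missing"; return 1; }
  done
  # aws-gwlb-inspect:enable may be one of several comma-separated op-commands.
  grep -E '^plugin-op-commands=' "$cfg" | grep -q 'aws-gwlb-inspect:enable' ||
    { echo "plugin-op-commands must include aws-gwlb-inspect:enable"; return 1; }
  return 0
}

# build_bootstrap_package DIR INIT_CFG AUTHCODE: lays out the four bootstrap
# folders under DIR, copies INIT_CFG to config/init-cfg.txt and writes the single
# bundle authcode to license/authcodes (only the first line of that file is used).
build_bootstrap_package() {
  dir="$1"
  check_init_cfg "$2" || return 1
  mkdir -p "$dir/config" "$dir/content" "$dir/license" "$dir/software"
  cp "$2" "$dir/config/init-cfg.txt"
  printf '%s\n' "$3" > "$dir/license/authcodes"
}

# ingress_permissions PORT IPS: prints the --ip-permissions JSON for one TCP
# port from a comma-separated IPv4 list, each address as a /32, so every NAT
# gateway IP goes into a single authorize-security-group-ingress call.
ingress_permissions() {
  port="$1"
  ranges=""
  for ip in $(printf '%s' "$2" | tr ',' ' '); do
    # The firewalls only have IPv4 addresses; reject anything else early.
    printf '%s' "$ip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
      { echo "not an IPv4 address: $ip" >&2; return 1; }
    entry="{\"CidrIp\":\"$ip/32\",\"Description\":\"VM-Series NAT GW to Panorama\"}"
    ranges="${ranges:+$ranges,}$entry"
  done
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[%s]}]' \
    "$port" "$port" "$ranges"
}

# Usage (file name is a placeholder):
#   sh vmseries-gwlb-helper.sh package ./init-cfg.txt BUNDLE_AUTHCODE BOOTSTRAP_BUCKET
#   NAT_GW_OUTPUT_KEY=<stack output key> \
#     sh vmseries-gwlb-helper.sh panorama-sg STACK_NAME sg-xxxxxxxx
# With no argument the script only defines the functions above.
case "${1:-}" in
  package)
    pkg="$(mktemp -d)"
    build_bootstrap_package "$pkg" "$2" "$3"
    aws s3 sync "$pkg" "s3://$4/"
    ;;
  panorama-sg)
    key="${NAT_GW_OUTPUT_KEY:?set NAT_GW_OUTPUT_KEY to the stack output listing the NAT gateway IPs}"
    ips="$(aws cloudformation describe-stacks --stack-name "$2" \
      --query "Stacks[0].Outputs[?OutputKey=='$key'].OutputValue" --output text)"
    [ -n "$ips" ] || { echo "no $key output on stack $2"; exit 1; }
    aws ec2 authorize-security-group-ingress --group-id "$3" \
      --ip-permissions "$(ingress_permissions 3978 "$ips")"
    ;;
esac
```

Run the package step before you launch the CloudFormation stack and the panorama-sg step only after the status reaches CREATE_COMPLETE, because the NAT gateway IPs do not exist until then. Listing every NAT gateway address as a /32 keeps the Panorama rule as narrow as the page requires; a broader source range would let anything behind those NAT gateways reach the Panorama management port.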